Re: ADAM SP1 on Win2K3 SP1

The log message I got from Windows Event Log is:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

I did a search on Google and didn't find anything particularly useful.

-zhubo

Lee Flight wrote:
Hi

did you restart the ADAM service after you added the read permission
for the key?
If it still fails after a restart then try bumping the debugging level of
the Schannel provider

http://support.microsoft.com/?id=260729

set it to 0x7 and then (1) restart the ADAM instance service and
(2) attempt the SSL connection and see what Schannel logs in the
system event log.

On the general question, adding the permissions to the key, then
changing the account with dsdbutil and then restarting the service
should be OK.

Lee Flight


"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message news:eZwDwRPzGHA.3568@xxxxxxxxxxxxxxxxxxxxxxx

The problem remains after I granted Read permission of every file in MachineKeys folder to the domain user. ldp.exe still fails with the same error code 0x51 Server Down, which doesn't make any sense.

Now I have a general question. Assuming SSL on ADAM is working fine and I want to use another domain user account as the ADAM service account, do I only need to grant that account READ permission to the machine keys and use dsdbutil to change the ADAM service account? Or do I have to go through the entire process, starting from requesting the certificate all over again, to use the new domain user account as the ADAM service account?

Previously what I did was that I went through the entire SSL setup process while logged on as a domain admin, and subsequently picked a normal domain user account to run ADAM.

Lee Flight wrote:

Hi

as you noted, if running ADAM on a DC you should be
using a standard domain account, not Network Service.

There are some notes on ADAM SSL configuration here:

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en

In particular note that you must set appropriate permissions on *individual*
keys in Users\ApplicationData\Microsoft\Crypto\RSA\MachineKeys as
the keys in that folder do not inherit permissions.

Lee Flight

"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message news:edYZ7XnyGHA.4104@xxxxxxxxxxxxxxxxxxxxxxx


Okay, the second mystery is solved. I didn't use dsdbutil to change the ADAM service account; that's why I'm getting some JET DB related error.

The first problem remains there.

Bo Zhu wrote:


Hi,

I have two questions related to ADAM running on a domain controller.

1. SSL connection with non-administrative account
I followed a pretty detailed step-by-step guide (http://www.oftedal.no/~erlend/?blogid=7) on how to set up an SSL certificate with ADAM, like generating a server authentication certificate, placing the certificate in the service account certificate store, granting read access to private key files, etc. But after all configuration steps were done, I was only able to connect to my ADAM instance through SSL if ADAM is run by an Administrative account. If I run the ADAM service with "NT Authority\Network Service", which is the default account selected during ADAM instance creation, ldp.exe always fails to connect with the following error message:

ld = ldap_sslinit("ffkillervm2k3.zb.encentuate.com", 50001, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ffkillervm2k3.zb.encentuate.com.

I found something in one ADAM FAQ from Microsoft that says I can use the "certutil -store my" command to see the file name of the private key whose Read permission should be granted to the service account used to run the ADAM service. But all I got for the "Key Container" attribute after running this command is the name of the root CA certificate I generated earlier. I even granted Read permission on the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder and all sub-folders to the "NT Authority\Network Service" account and still the SSL connection fails.


2. Running ADAM service with a domain user account
ADAM Help states I should not run the ADAM service with the "NT AUTHORITY\NETWORK SERVICE" account if the instance is running on a domain controller. So I created a new domain user in my test AD and used that account to run ADAM. I have also enabled "Log on as a service" and "Generate security audits" for the new domain user account in the Default Domain Controllers Policy. Unfortunately I'm not able to start the ADAM service with that new domain user account.

A quick examination of Windows events shows one error:

Active Directory could not be initialized.

The directory service cannot recover from this error.

User Action
Restore the local directory service from backup media.

Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or in use


Any help is appreciated.

Best regards,

Bo Zhu
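The check Lee Flight describes, as an added example that is not part of the thread: locate the server-authentication certificate in the machine store, resolve its CSP key container to the file under MachineKeys, and verify that the service account has an explicit Read ACE on that file (the folder ACL is not inherited by the key files). The host name is taken from the thread; the service account name 'ZB\adamsvc' is a placeholder, and the script assumes a CAPI (CSP) RSA key rather than a CNG key.

```powershell
# Added example, not from the thread. Checks the private-key file ACL for the ADAM service account.
param(
    [string]$HostName   = 'ffkillervm2k3.zb.encentuate.com',  # host name from the thread
    [string]$SvcAccount = 'ZB\adamsvc',                        # placeholder service account
    [switch]$Fix                                               # grant Read if it is missing
)

# Newest certificate with a private key issued to the host name in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$HostName in LocalMachine\My" }

# Schannel only selects a certificate that carries the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1) or has no EKU extension at all.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = (-not $ekuExt) -or ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')

# For a CSP key the unique container name is the file name under MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo   # null for CNG keys
if (-not $container) { throw 'Not a CAPI (CSP) key; this check covers CSP keys only' }
if (-not $container.MachineKeyStore) { throw 'Key is in a user profile store, not MachineKeys' }
$keyDir = if ($env:ProgramData) { "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" }
          else { "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA\MachineKeys" }  # Win2K3 path
$keyFile = Join-Path $keyDir $container.UniqueKeyContainerName

# Look for an explicit Allow ACE on the key file itself; folder permissions do not propagate here.
$acl  = Get-Acl -Path $keyFile
$read = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = [bool]($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $SvcAccount -and
    (($_.FileSystemRights -band $read) -eq $read) })

if (-not $hasRead -and $Fix) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($SvcAccount, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    $hasRead = $true
}

[pscustomobject]@{
    Thumbprint     = $cert.Thumbprint
    ServerAuthEKU  = $serverAuth
    KeyFile        = $keyFile
    SvcAccountRead = $hasRead
}
```

Run it elevated on the ADAM host; as the thread notes, the ADAM instance service must be restarted after the ACL change before Schannel will pick up the key.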
